Novell Access Manager 3.1 SP3 Installation guide

Novell®

www.novell.com

AUTHORIZED DOCUMENTATION

Access Manager

3.1 SP3

February 02, 2011

Installation Guide

Legal Notices

Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and

specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.

Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time,

without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims

any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.,

reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to

notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the

trade laws of other countries. You agree to comply with all export control regulations and to obtain any required

licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on

the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws.

You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the

Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on

exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export

approvals.

stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc.

404 Wyman Street, Suite 500

Waltham, MA 02451

U.S.A.

www.novell.com

Online Documentation: To access the latest online documentation for this and other Novell products, see

the Novell Documentation Web page (http://www.novell.com/documentation).

Novell Trademarks

For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/

trademarks/tmlist.html).

Third-Party Materials

All third-party trademarks are the property of their respective owners.

4 Novell Access Manager 3.1 SP3 Installation Guide

Contents 5

Contents

About This Guide 11

1 What’s New in Access Manager 3.1 SP3 13

1.1 Identity Server Enhancements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

1.2 Access Gateway Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

1.3 Administration Console Enhancements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

1.4 NAT Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

1.5 LDAP Rebind . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

2 Novell Access Manager Product Overview 17

2.1 How Access Manager Solves Business Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

2.1.1 Protecting Resources While Providing Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

2.1.2 Managing Passwords with Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

2.1.3 Enforcing Business Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

2.1.4 Sharing Identity Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

2.1.5 Protecting Identity Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

2.1.6 Complying with Regulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

2.2 How Access Manager Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

2.2.1 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

2.2.2 Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

2.2.3 Identity Injection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

2.2.4 Identity Federation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

2.2.5 SSL Renegotiation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

2.3 Access Manager Devices and Their Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

2.3.1 Administration Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

2.3.2 Identity Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

2.3.3 Access Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

2.3.4 SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

2.3.5 J2EE Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

2.3.6 Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

2.3.7 Certificate Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

2.3.8 Auditing and Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

2.3.9 Embedded Service Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

2.3.10 The User Portal Application. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

2.3.11 Language Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

3 Installation Requirements 35

3.1 Recommended Installation Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

3.1.1 Basic Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

3.1.2 High Availability Configuration with Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . 37

3.2 Hardware Platform Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

3.3 Network Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

3.4 Administration Console Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

3.4.1 Linux Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

3.4.2 Windows Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

3.4.3 Browser Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

3.5 Identity Server Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

3.5.1 Linux Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

6 Novell Access Manager 3.1 SP3 Installation Guide

3.5.2 Windows Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

3.6 Access Gateway Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

3.6.1 Access Gateway Appliance Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

3.6.2 Linux Access Gateway Service Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

3.6.3 Windows Access Gateway Service Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 44

3.6.4 Client Access Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

3.6.5 Access Gateway Feature Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

3.7 SSL VPN Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

3.7.1 Windows Client Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

3.8 Virtual Machine Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

3.8.1 Keeping Time Synchronized on the Access Manager Devices . . . . . . . . . . . . . . . . . 48

3.8.2 How Many Virtual Machines Per Physical Machine. . . . . . . . . . . . . . . . . . . . . . . . . . 49

3.8.3 Which Network Adapter to be used for VMWare ESX. . . . . . . . . . . . . . . . . . . . . . . . 49

4 Installing the Access Manager Administration Console 51

4.1 Installation Procedures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

4.1.1 Installing on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

4.1.2 Installing on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

4.2 Configuring the Administration Console Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

4.2.1 Linux Administration Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

4.2.2 Windows Administration Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

4.3 Logging In to the Administration Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

4.4 Enabling the Administration Console for Multiple Network Interface Cards. . . . . . . . . . . . . . . 59

4.5 Administration Console Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

5 Installing the Novell Identity Server 61

5.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

5.2 Installing on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

5.3 Installing on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

6 Installing the Linux Access Gateway Appliance 67

6.1 Prerequisites for the Access Gateway Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

6.2 Boot Screen Function Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

6.3 Installing the Access Gateway Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

6.4 Creating Custom Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

6.5 Viewing the Linux Installation Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

7 Installing the Access Gateway Service 77

7.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

7.2 Installing the Access Gateway Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

7.3 Silently Installing the Access Gateway Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

8 Installing the SSL VPN Server 83

8.1 Installing the ESP-Enabled SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

8.1.1 Deployment Scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

8.1.2 Installing the ESP-Enabled SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

8.2 Installing the Traditional SSL VPN Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

8.2.1 Deployment Scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

8.2.2 Installing the Traditional Novell SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

8.3 Installing the Key for the High-Bandwidth SSLVPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Contents 7

8.4 Verifying That Your SSL VPN Service Is Installed. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

9 Upgrading Access Manager Components 95

9.1 Upgrading from the Evaluation Version to the Purchased Version . . . . . . . . . . . . . . . . . . . . . 95

9.2 Upgrading from Access Manager 3.1 SP2 or 3.1 SP2 IR3 to 3.1 SP3. . . . . . . . . . . . . . . . . . . 96

9.3 Migrating to Newer Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

9.3.1 Migrating Administration Consoles from SLES 10 to SLES 11 . . . . . . . . . . . . . . . . . 97

9.3.2 Migrating Administration Consoles with or without Identity Servers from Windows 2003

to Windows 2008. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

9.3.3 Migrating Identity Servers from SLES 10 to SLES 11 . . . . . . . . . . . . . . . . . . . . . . . 100

9.3.4 Migrating Stand-Alone Identity Servers from Windows 2003 to Windows 2008 . . . 101

9.3.5 Migrating to the SLES 11 Access Gateway Appliance . . . . . . . . . . . . . . . . . . . . . . 101

9.3.6 Migrating the SSL VPN Server to SLES 11. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

9.4 Upgrading the Administration Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

9.4.1 Upgrading the Linux Administration Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

9.4.2 Upgrading the Windows Administration Console. . . . . . . . . . . . . . . . . . . . . . . . . . . 106

9.5 Upgrading the Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

9.5.1 Upgrading the Linux Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

9.5.2 Upgrading the Windows Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

9.5.3 Access Failure Issues with the Intersite Transfer Service . . . . . . . . . . . . . . . . . . . . 110

9.6 Upgrading the Linux Access Gateway Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

9.6.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

9.6.2 Upgrading the Linux Appliance by Using the Interactive Method . . . . . . . . . . . . . . 112

9.6.3 Upgrading the Linux Appliance by Passing Parameters in the Command Line. . . . 113

9.6.4 Upgrading the Linux Appliance by Using the Administration Console. . . . . . . . . . . 113

9.6.5 Installing or Updating the Latest Linux Patches. . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

9.6.6 Session Stickiness Upgrade Issue in 3.1 SP3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

9.7 Upgrading the Access Gateway Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

9.7.1 Upgrading the Linux Access Gateway Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

9.7.2 Upgrading the Windows Access Gateway Service . . . . . . . . . . . . . . . . . . . . . . . . . 123

9.8 Upgrading the SSL VPN Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

9.8.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

9.8.2 Upgrade Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

9.8.3 Upgrading SSL VPN Installed on a Separate Machine . . . . . . . . . . . . . . . . . . . . . . 125

9.9 Verifying Version Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

10 Removing Components 127

10.1 Uninstalling the Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

10.1.1 Deleting Identity Server References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

10.1.2 Uninstalling the Linux Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

10.1.3 Uninstalling the Windows Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

10.2 Reinstalling an Identity Server to a New Hard Drive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

10.3 Uninstalling the Access Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

10.3.1 Uninstalling the Windows Access Gateway Service . . . . . . . . . . . . . . . . . . . . . . . . 129

10.3.2 Uninstalling the Linux Access Gateway Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

10.4 Uninstalling the Administration Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

10.4.1 Uninstalling the Linux Administration Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

10.4.2 Uninstalling the Windows Administration Console. . . . . . . . . . . . . . . . . . . . . . . . . . 131

10.5 Uninstalling the SSL VPN Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

10.5.1 Deleting the SSL VPN Server References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

10.5.2 Uninstalling the SSL VPN Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

10.5.3 Uninstalling the RPM Key for High Bandwidth SSL VPN . . . . . . . . . . . . . . . . . . . . 132

8 Novell Access Manager 3.1 SP3 Installation Guide

11 Migrating from iChain to Access Manager 133

11.1 Understanding the Differences between iChain and Access Manager . . . . . . . . . . . . . . . . . 133

11.1.1 Component Differences. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

11.1.2 Feature Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

11.2 Planning the Migration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

11.2.1 Possible Migration Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

11.2.2 Outlining the Migration Requirements for Each Resource. . . . . . . . . . . . . . . . . . . . 142

11.3 Migrating Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

11.3.1 Setting Up the Hardware and Installing the Software . . . . . . . . . . . . . . . . . . . . . . . 144

11.3.2 Using an L4 Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

11.3.3 Configuring the Identity Server for Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 145

11.3.4 Configuring System and Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

11.3.5 Migrating the First Accelerator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

11.3.6 Enabling Single Sign-On between iChain and Access Manager. . . . . . . . . . . . . . . 158

11.3.7 Migrating Resources with Special Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . 161

11.3.8 Moving Staged Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

11.3.9 Removing iChain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

A Troubleshooting Installation and Upgrade 175

A.1 Troubleshooting a Windows Administration Console Installation. . . . . . . . . . . . . . . . . . . . . . 175

A.2 Troubleshooting a Windows SSL Renegotiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

A.3 Troubleshooting an Identity Server Import and Installation . . . . . . . . . . . . . . . . . . . . . . . . . . 177

A.3.1 The Identity Server Fails to Import into the Administration Console . . . . . . . . . . . . 177

A.3.2 Reimporting the Identity Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

A.3.3 Check the Installation Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

A.4 Troubleshooting a Linux Access Gateway Appliance Installation . . . . . . . . . . . . . . . . . . . . . 179

A.4.1 Some of the New Hardware Drivers or Network Cards Are Not Detected during

Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

A.4.2 After Reinstalling the Access Gateway, SSL Fails . . . . . . . . . . . . . . . . . . . . . . . . . 180

A.4.3 Reverting to an Earlier Snapshot of the Access Gateway Appliance Can Cause Multiple

Crashes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

A.4.4 Manually Configuring a Network Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

A.4.5 Manually Setting and Deleting the Default Gateway . . . . . . . . . . . . . . . . . . . . . . . . 182

A.4.6 Manually Configuring the Hostname, Domain Name, and DNS Server. . . . . . . . . . 182

A.4.7 Verifying Component Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

A.4.8 Signature Error in SLES 11 Network Mode of Installation. . . . . . . . . . . . . . . . . . . . 184

A.5 Troubleshooting the Access Gateway Service Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . 184

A.5.1 Troubleshooting the Linux Access Gateway Service Installation . . . . . . . . . . . . . . 184

A.5.2 Troubleshooting the Windows Access Gateway Service Installation. . . . . . . . . . . . 184

A.6 Troubleshooting the SSL VPN Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

A.6.1 Manually Uninstalling the Enterprise Mode Thin Client . . . . . . . . . . . . . . . . . . . . . . 185

A.6.2 SSL VPN Health Status Is Yellow after an Upgrade . . . . . . . . . . . . . . . . . . . . . . . . 186

A.7 Troubleshooting the Access Gateway Import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

A.7.1 Repairing an Import. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

A.7.2 Triggering an Import Retry. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

A.7.3 Fixing Potential Configuration Errors on the Access Gateway Appliance . . . . . . . . 189

A.7.4 Troubleshooting the Import Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

A.8 Troubleshooting an Access Gateway Appliance Upgrade. . . . . . . . . . . . . . . . . . . . . . . . . . . 194

A.8.1 After You Migrate from SLES 9 to SLES 11, the Health Status Indicates That the

Embedded Service Provider Cannot Find the Keystores . . . . . . . . . . . . . . . . . . . . 194

A.8.2 Embedded Service Provider Issues After Upgrading . . . . . . . . . . . . . . . . . . . . . . . 195

A.8.3 Proxy Stops Responding after Trying to Upgrade with the Wrong Upgrade RPM . 196

A.8.4 Pending Commands After an Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

A.8.5 After You Upgrade to Version 3.1, the New Alerts for Auditing Do Not Appear . . . 196

Contents 9

A.8.6 After Upgrading, the Access Gateway Health Status Indicates That It Is Waiting for a

Policy Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

A.8.7 Upgrading the Access Gateway Appliance Randomly Stops the Embedded Service

Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

A.8.8 Upgrading the Access Gateway Appliance Causes Session Stickiness Issues . . . 197

A.9 Troubleshooting a Linux Administration Console Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . 198

A.9.1 After You Upgrade from SLES 9 to SLES 10, Access Manager 3.1 SP2 Fails to Install

198

A.9.2 Upgrade Hangs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

A.9.3 Multiple IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

A.9.4 Certificate Command Failure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

A.10 Troubleshooting the Uninstall of the Access Gateway Service . . . . . . . . . . . . . . . . . . . . . . . 200

A.11 Troubleshooting the Uninstall of the Windows Identity Server. . . . . . . . . . . . . . . . . . . . . . . . 200

A.12 Troubleshooting a Linux SSL Renegotiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

B Modifications Required for a 3.0 Login Page 201

B.1 Modifying the File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

B.2 Sample Modified File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

C What’s New in Previous Releases 211

C.1 What’s New in Access Manager 3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

C.1.1 Administration Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

C.1.2 Identity Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

C.1.3 Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

C.1.4 SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

C.1.5 Access Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

C.1.6 J2EE Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

C.2 What’s New in Access Manager 3.1 SP1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

C.2.1 Identity Server Enhancements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

C.2.2 Access Gateway Enhancements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

C.2.3 SSL VPN Enhancements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

C.2.4 J2EE Agent Enhancements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

C.3 What’s New in Access Manager 3.1 SP2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

10 Novell Access Manager 3.1 SP3 Installation Guide

About This Guide 11

About This Guide

The purpose of this guide is to provide an introduction to Novell Access Manager and to describe

the installation, upgrade, and removal procedures.

 Chapter 1, “What’s New in Access Manager 3.1 SP3,” on page 13

 Chapter 2, “Novell Access Manager Product Overview,” on page 17

 Chapter 3, “Installation Requirements,” on page 35

 Chapter 4, “Installing the Access Manager Administration Console,” on page 51

 Chapter 5, “Installing the Novell Identity Server,” on page 61

 Chapter 6, “Installing the Linux Access Gateway Appliance,” on page 67

 Chapter 7, “Installing the Access Gateway Service,” on page 77

 Chapter 8, “Installing the SSL VPN Server,” on page 83

 Chapter 9, “Upgrading Access Manager Components,” on page 95

 Chapter 10, “Removing Components,” on page 127

 Chapter 11, “Migrating from iChain to Access Manager,” on page 133

 Appendix A, “Troubleshooting Installation and Upgrade,” on page 175

 Appendix B, “Modifications Required for a 3.0 Login Page,” on page 201

 Appendix C, “What’s New in Previous Releases,” on page 211

For information about the J2EE Agents, see the Novell Access Manager 3.1 SP3 J2EE Agent Guide.

Audience

This guide is intended for Access Manager administrators. It is assumed that you have knowledge of

evolving Internet protocols, such as:

 Extensible Markup Language (XML)

 Simple Object Access Protocol (SOAP)

 Security Assertion Markup Language (SAML)

 Public Key Infrastructure (PKI) digital signature concepts and Internet security

 Secure Socket Layer/Transport Layer Security (SSL/TLS)

 Hypertext Transfer Protocol (HTTP and HTTPS)

 Uniform Resource Identifiers (URIs)

 Domain Name System (DNS)

 Web Services Description Language (WSDL)

Feedback

We want to hear your comments and suggestions about this manual and the other documentation

included with this product. Please use the User Comments feature at the bottom of each page of the

online documentation, or go to www.novell.com/documentation/feedback.html and enter your

comments there.

12 Novell Access Manager 3.1 SP3 Installation Guide

Documentation Updates

For the most recent version of the Access Manager Installation Guide, visit the Novell Access

Manager Documentation Web site (http://www.novell.com/documentation/novellaccessmanager31).

Additional Documentation

 Novell Access Manager 3.1 SP3 Setup Guide

 Novell Access Manager 3.1 SP3 Administration Console Guide

 Novell Access Manager 3.1 SP3 Identity Server Guide

 Novell Access Manager 3.1 SP3 Access Gateway Guide

 Novell Access Manager 3.1 SP3 Policy Guide

 Novell Access Manager 3.1 SP3 J2EE Agent Guide

 Novell Access Manager 3.1 SP3 SSL VPN Server Guide

Documentation Conventions

In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and

items in a cross-reference path.

What’s New in Access Manager 3.1 SP3

1

13

1

What’s New in Access Manager 3.1

SP3

Novell Access Manager 3.1 SP3 provides a number of key enhancements to various components.

These enhancements improve management, enhance security, and add cross-platform capabilities to

major components. These key features include:

 Section 1.1, “Identity Server Enhancements,” on page 13

 Section 1.2, “Access Gateway Enhancements,” on page 14

 Section 1.3, “Administration Console Enhancements,” on page 14

 Section 1.4, “NAT Support,” on page 15

 Section 1.5, “LDAP Rebind,” on page 15

1.1 Identity Server Enhancements

 Federation Enhancements: The following features are enhanced in the SAML and Liberty

protocols:

 NIDP Principal Consistency: Allows you to set the identity provider session timeout,

configure assertion validity time, overwrite the temporary user, and identify real users. For

more information, see “Configuring Authentication Methods” and “Configuring the

Attribute Matching Method for SAML 1.1” in the Novell Access Manager 3.1 SP3

Identity Server Guide.

 Whitelist of Target URLs: Allows you to access only the target URL which is available

in the domain list. For more information, see “Configuring Whitelist of Target URLs” in

the Novell Access Manager 3.1 SP3 Identity Server Guide.

 Local Method Execution Post Federation: This feature authenticates the user as the

local service provider after the remote password authentication. This features also

configures the assertion validity time and overwrites the temporary user and real user

identifications. For more information, see “Defining User Identification for Liberty and

SAML 2.0” in the Novell Access Manager 3.1 SP3 Identity Server Guide.

 Mapping Between Types and Contracts: The Identity Server is contract-based and this

setting permits an association to be made between a contract and the external provider

assertion. For more information, see “Modifying the Authentication Card for Liberty or

SAML 2.0” in the Novell Access Manager 3.1 SP3 Identity Server Guide.

 Password Fetch Class Extensions: The Novell Access Manager supports password

retrieval of the users who are mapped based on the CN of the user object and attribute

value of the user object in different ways. For more information see, “Configuring

Password Retrieval” in the Novell Access Manager 3.1 SP3 Identity Server Guide.

 SP Brokering: The Novell Access Manager Identity Service acts as a federation gateway or a

service provider broker (SP Broker). This feature is used along with the Intersite Transfer

Service of the identity provider, which enables authentication at a trusted service provider. The

SP Broker feature helps control the authentication flow between several identity providers and

service providers in a federation circle by allowing the administrator to configure policies that

control Intersite Transfers. For example, an administrator can configure a policy with SP

14 Novell Access Manager 3.1 SP3 Installation Guide

Broker that allows only certain users from an identity provider to be authenticated at a given

service provider.For more information, see “SP Brokering ” in the Novell Access Manager 3.1

SP3 Identity Server Guide.

 A-Select Feature Enhancements: The following sections provides information about A-

Select feature.

 Defining Session Synchronization for Liberty or SAML 2.0: You need to configure the

properties for the session synchronization between the service provider and the target

identity provider. For more information, see “Defining Session Synchronization for the A-

Select SAML 2.0 Identity Provider” in the Novell Access Manager 3.1 SP3 Identity Server

Guide.

 Defining Options for Liberty or SAML 2.0: According to Single Logout Profile in

OASIS SAML V2.0 profiles, the session users can use a front channel binding. This

profile is initiated to maximize the successful logout to all users which is propagated by

the session authority. For more information, see “Defining Options for Liberty or SAML

2.0” in the Novell Access Manager 3.1 SP3 Identity Server Guide.

 Configuring Liberty or SAML 2.0 Session Timeout: You can configure the

web.xml

parameter in the ESP (Embedded Service Provider). When timeout is reached, the ESP

creates a SAML 2.0 logout request to remote Identiy Provider over SOAP backchannel.

For more information, see “Configuring the Liberty or SAML 2.0 Session Timeout” in the

Novell Access Manager 3.1 SP3 Identity Server Guide.

1.2 Access Gateway Enhancements

 Load Balancing Feature: The load balance feature at session level helps you to configure the

web servers at different levels. For more information, see “Configuring Web Servers” in the

Novell Access Manager 3.1 SP3 Access Gateway Guide.

 Configuring High Availability: The High Availability option of the Linux Access Gateway

helps improve overall reliability. This section provides information on hardware requirements,

configuration details about fresh installation and upgrade scenarios, and functionality details of

the High Availabiltiy option. For more information, see “Configuring the High Availability

Feature” in the Novell Access Manager 3.1 SP3 Access Gateway Guide.

 Session Stickiness Option: You can use the session stickiness option if multiple Web Servers

are configured for a service. Selecting this option makes the proxy server to use the same web

server for all fills during a session. For more information, see “Configuring Web Servers” in

the Novell Access Manager 3.1 SP3 Access Gateway Guide.

1.3 Administration Console Enhancements

 Policy View Administrator: A policy view administrator has rights only to view policy

containers. The super administrators can create a special type of delegated administrators called

policy view administrators who can only view the policies in the policy container assigned to

them. They policy view administrators can login to Access Manager with their credentials and

they are allowed to view only the policy containers assigned to them. For more information, see

“Administration Console” in the Novell Access Manager 3.1 SP3 Administration Console

Guide.

What’s New in Access Manager 3.1 SP3 15

1.4 NAT Support

The Network Address Translation (NAT) protocol maps all the public IP addresses to communicate

with a single private IP address. The network administrators create a NAT table to map the public-

to-private and private-to-public IP address. The IP address can be static or dynamic.

1.5 LDAP Rebind

Once a new LDAP SSL connection is made, it is kept open for reuse. For every new user requests,

the same LDAP SSL connection can be used to rebind to a different user. The connection

establishment overhead for every LDAP request is removed which boosts the performance in slow

links. The maximum number of connections in the pool and the interval for which a connection can

be kept open (LDAP timeout) can be configured.

16 Novell Access Manager 3.1 SP3 Installation Guide

Novell Access Manager Product Overview

2

17

2

Novell Access Manager Product

Overview

Novell Access Manager is a comprehensive access management solution that provides secure access

to Web and enterprise applications. Access Manager also provides seamless single sign-on across

technical and organizational boundaries. It uses industry standards including Secure Assertions

Markup Language (SAML) and Liberty Alliance protocols. It has a single console for management

and configuration. To provide secure access from any location, it supports multi-factor

authentication, role-based access control, data encryption, and SSL VPN services.

This section discusses the following topics:

 Section 2.1, “How Access Manager Solves Business Challenges,” on page 17

 Section 2.2, “How Access Manager Works,” on page 25

 Section 2.3, “Access Manager Devices and Their Features,” on page 27

2.1 How Access Manager Solves Business

Challenges

As networks expand to connect people and businesses throughout the world, secure access to

business resources becomes increasingly more important and more complex. Gone are the days

when all employees worked from the same office; today’s employees work from corporate, home,

and mobile offices. Equally gone are the days when employees were the only ones who required

access to resources on your network; today, customers and partners require access to resources on

your network, and your employees require access to resources on partners’ networks or at service

providers.

Novell Access Manager lets you provide employees, customers, and partners with secure access to

your network resources, whether those resources are Web applications, traditional server-based

applications, or other content. If your business faces any of the following access-related challenges,

Access Manager can help:

 Protecting resources so that only authorized users can access them, whether those users are

employees, customers, or partners.

 Ensuring that the users who are authorized to use a resource can access that resource regardless

of where the users are currently located.

 Requiring users to manage multiple passwords for authentication to Web applications.

 Making sure users have access only to the resources required for their jobs. In other words,

ensuring that your authorization processes and practices match the business policies that define

access privileges to your network resources.

 Revoking network access from users in minutes rather than days.

 Protecting users’ privacy and confidential information as they access company resources or

partners’ resources.

 Proving compliance with your business policies, privacy laws such as Sarbanes-Oxley, HIPAA,

or European Union, and other regulatory requirements.

18 Novell Access Manager 3.1 SP3 Installation Guide

The following sections expand on these challenges and introduce the solutions provided by Access

Manager. If you are already aware of the business solutions provided by Access Manager, you might

want to skip to the technical introduction provided in Section 2.2, “How Access Manager Works,”

on page 25.

 Section 2.1.1, “Protecting Resources While Providing Access,” on page 18

 Section 2.1.2, “Managing Passwords with Single Sign-On,” on page 19

 Section 2.1.3, “Enforcing Business Policies,” on page 20

 Section 2.1.4, “Sharing Identity Information,” on page 21

 Section 2.1.5, “Protecting Identity Information,” on page 23

 Section 2.1.6, “Complying with Regulations,” on page 24

2.1.1 Protecting Resources While Providing Access

The primary purpose of Access Manager is to protect resources by allowing access only to users you

have authorized. You can control access to Web (HTTP) resources as well as traditional server-based

(non-HTTP) resources. As shown in the following illustration, those users who are authorized to use

the protected resources are allowed access, while unauthorized users are denied access.

Access Manager secures your protected Web resources from Internet hackers. The addresses of the

servers that host the protected resources are hidden from both external and internal users. The only

way to access the resources is by logging in to Access Manager with authorized credentials.

Access Manager protects only the resources you have set up as protected resources. It is not a

firewall and should always be used in conjunction with a firewall product.

Access Manager

Authorized User Authorized User Unauthorized User

Protected Web

Resources

Non-HTTP Services

(E-mail, Telnet,

Thin Client, FTP)

Novell Access Manager Product Overview 19

Because not all users work from within the confines of your local network, access to resources is

independent of a user’s location, as shown in the following illustration. Access Manager provides

the same secure access and same experience whether the user is accessing resources from your local

office, from home, or from an airport terminal.

2.1.2 Managing Passwords with Single Sign-On

If your organization is like most, you have multiple applications that require user login. Multiple

logins typically equates to multiple passwords. And multiple passwords mean forgotten passwords.

Authentication through Access Manager not only establishes authorization to applications (see

Protecting Resources While Providing Access above), but it can also provide authentication to those

same applications. With Access Manager serving as the front-end authentication, you can deploy

standards-based Web single sign-on, which means your employees, partners, and customers only

need to remember one password or login routine to access all the corporate and Web-based

applications they are authorized to use. That means far fewer help desk calls—and the reduced

likelihood of users resorting to vulnerable written reminders.

Access Manager

Authorized User Authorized User

Authorized User

Protected Web

Resources

Non-HTTP Services

(E-mail, Telnet,

Thin Client, FTP)

20 Novell Access Manager 3.1 SP3 Installation Guide

By simplifying the use and management of passwords, Access Manager helps you enhance the

user’s experience, increase security, streamline business processes, and reduce system

administration and support costs.

2.1.3 Enforcing Business Policies

Determining the access policies for an organization is often complicated and difficult, but the

difficulty pales in comparison to enforcing the policies. Your IT personnel can spend hours

attempting to give users the correct access to resources, and hours more retracing their steps to see

why the users can’t access what they should be able to. What’s worse, you might never know about

the situations where users are granted access to resources they shouldn’t be accessing.

Access Manager automates the granting and removing of access through the use of roles and

policies. As shown in the following illustration, users are assigned to roles that have access policies

associated with them. Each time a user authenticates through Access Manager, the user’s access is

determined by the policies associated with the user’s roles.

In the following example, users assigned to the Accounting role receive access to the Accounting

resources, Payroll users receive access to the Payroll resources, and Accounting managers receive

access to both the Accounting and Manager resources.

Login

Authenticate

Access Manager

Authorized User

Role AssignmentUser Authentication Policy Evaluation

and Enforcement

Access to Resource

Page is loading ...

Novell Access Manager 3.1 SP3 Installation guide

Related papers

Other documents